Skip to main content

Hello all,

Having trouble binding a machine to AD,

I'm currently using a Binding Profile set up in config manager with the following fields configured

  1. General
  2. Directory
  3. Certificate (is this necessary?)

General - obvious info

Directory

Directory type
Active Directory

Server address
region.office.domain.com

username + pw of generic account used for domain joining (cofirmed this account works with a manual bing through directory utility)

Client ID office.domain.com

OU
Computers_Macs (corresponds with relevant OU in our AD)

Create mobile account
Require confirmation before creating mobile account
Use UNC path

Certificate
Printserver certificate from our CA (recent - previously I tried binding without a cert as I had read this shouldn't be a problem)

I get fails on all attempts, 'attempt to bind to the server 'region.office.domain.com returned an unspecified error'

Is there something obvious I am doing wrong?

Is there a better way to do this, via script or something? Im not sure how I would get around the machine name settings in that case

Please go easy on me!

PS: I am aware some are of the opinion that it is easier to bind as part of the initial build, but I've build about a hundred machines already without a bind, so redoing them isn't an option at the moment.

Any help appreciated

try this...

MacModel="$(system_profiler SPHardwareDataType | grep 'Model Name')"

computeridtmp="$(scutil --get ComputerName)"
computerid="$(echo ${computeridtmp})"

Standard parameters

domain="DOMAIN NAME HERE"
udn="CasperLDAP" password="$(echo SkBtZm5AdGlvbgo= | openssl enc -base64 -d)"

Advanced options AD Plugin

alldomains="enable"
localhome="enable"
protocol="smb"
mobile="enable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="domain admins,enterprise admins"
packetsign="allow"
packetencrypt="allow"
passinterval="14" namespace="domain"

Time Sync

Remove Existing Directory Services Config

if [ ! -d "/Library/Preferences/DirectoryService/ActiveDirectory" ]; then
rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
fi

if [ ! -d "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig" ]; then
rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
fi

if [ ! -d "/Library/Preferences/DirectoryService/SearchNode" ]; then
rm -R /Library/Preferences/DirectoryService/SearchNode*
fi

if [ ! -d "/Library/Preferences/DirectoryService/ContactsNode" ]; then
rm -R /Library/Preferences/DirectoryService/ContactsNode*
fi

if [ ! -d "/Library/Preferences/edu.mit.Kerberos" ]; then
rm -R /Library/Preferences/edu.mit.Kerberos
fi

if [ ! -d "/etc/krb5.keytab" ]; then
rm -R /etc/krb5.keytab
fi

Clean up the DirectoryService configuration files

rm -vfR "/Library/Preferences/DirectoryService/"
rm -vfR "/Library/Preferences/DirectoryService/."

Activate the AD plugin

defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

Bind to AD

dsconfigad -force -add $domain -computer $computerid -username $udn -password "$password" -ou "$ou"

Configure advanced AD plugin options

if [ "$admingroups" = "" ]; then dsconfigad -nogroups
else dsconfigad -groups "$admingroups"
fi

dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath -shell $user_shell $preferred -packetsign $packetsign -packetencrypt $packetencrypt -passinterval $passinterval -namespace $namespace

Add the OD & AD node to the search path

if [ "$alldomains" = "enable" ]; then csp="/Active Directory/All Domains"
else csp="/Active Directory/$domain"
fi

exit 0

@kerouk, thanks so much for the reply!! but excuse my thickness.

Should I separate that as 8 different scripts set to run, with triggers being the ending of the previously run script?

Looks like @kerouak forgot to enclose his script in the script tags here. The large bolded text are all comments, like this

# Add the OD & AD node to the search path

They aren't separate scripts.

That being said, have you explored using the built in JSS binding config? That still works interestingly enough.
Scripting an AD bind is fine, sometimes even preferable since you have more granular control over it. We sometimes use scripts, but we also use the built in Directory Binding configuration to do this, which really does work well in most cases.
I would at least explore this before resorting to using scripts.

Though I'm not certain why the Config Profile route is giving you trouble, I wonder if the OU you're binding to is the issue. You noted the OU is Computers_Macs, but is there a full OU in there, something like: OU=Computers,OU=Computer_Macs,DC=domain,DC=org,DC=com ?
I think it needs to be a full OU designation like that to work.

One other suggestion is to try manually binding a Mac with Directory Utility using all the same settings in the GUI. If it works, then the same settings in a Binding config, or Configuration Profile, or even a script should work.

@EmDee Have you tried configuring directory binding in the JAMF settings > Computer management > Directory Bindings and then set a policy with the directory binding config you created?

@mm2270 Thanks!

Sadly I can't get the script to work for me when pushed from JAMF, after running sudo jamf -policy in order to fetch the script, I get a load of 'command not found' errors when it runs.

Checking on the OU now

@debrat

Yup I've used the directory bindings feature (global system settings > Directory bindings) and then added that directory binding to a profile - but still no luck, and I can bind with the exact details that I enter, and I have no time mismatch or anything obvious that would prevent the bind from working, I get errors ranging from 'the authentication server could not be contacted' to an error 10001.

Very frustrating

Thanks for the help guys, I really appreciate it

Hey, so turns out that the domain joiner account I was using with my directory binding profile was the problem - I'm not quite sure why, as I had used it to manually bind a machine to AD in order to test it, so I tried my own credentials in the binding profile (not ideal) and everything worked fine.

Terms & ConditionsCookie settingsAccessibility statement